Microsoft tacks up first wanted poster, debuts temp bounty for IE11 bugs

Better late to the party than never, say security experts

Microsoft on Wednesday backpedaled from a long-standing refusal to pay bug bounties when it announced a temporary program for the beta of Internet Explorer 11 (IE11).

The Internet Explorer 11 Preview Bug Bounty will start June 26, the day the browser launches alongside Windows 8.1 at the BUILD developer conference, and will run until July 26. During the 30 days, Microsoft will pay researchers up to $11,000 for each vulnerability they find and report to the company.

Microsoft has repeatedly rejected the idea of joining rivals, such as Google and Mozilla, in paying for bugs. In 2011, the company insisted a just-announced contest was a better use of its money than paying for bugs one by one.

Also yesterday, Microsoft expanded that 2011 contest -- then labeled the "BlueHat Prize" -- into an ongoing "BlueHat Bonus for Defense" initiative that will pay researchers up to $50,000 for fresh defensive security solutions.

The big money was reserved for another new program, dubbed "Mitigation Bypass Bounty," that will award up to $100,000 for any novel exploitation technique able to circumvent Windows 8.1's many defenses.

Only the IE11 preview program is a true bug bounty -- one that pays researchers for each unknown vulnerability they report -- but security experts were impressed nonetheless.

"We've waited years for this, and they're doing it in classic Microsoft fashion ... they're putting their own twist on a bug bounty by only paying for bugs in a beta," said Andrew Storms, director of security operations at Tripwire nCircle. "I can see the reasoning behind that, because beta is when bugs ought to be found."

Chris Wysopal, co-founder and CTO of Veracode, a Burlington, Mass. firm that develops application security testing and risk management software, agreed, but couldn't resist poking Microsoft.

"I've been a fan of bug bounties for a long time, and in 2010, after Google started paying for bugs, predicted that Microsoft would, too," said Wysopal. "It took them a good three years to do this. But they came up with a new twist which no one had tried before."

In 2010, Wysopal wrote a blog post in which he forecast that Microsoft would "cave to industry pressure as they are hit with more uncoordinated disclosures than their peers," and kick off a bounty program.

The limited-time IE11 bounty offer was triggered by a realization that researchers had waited to report bugs in IE10 until after the browser went final, or reached what Microsoft calls "release to manufacturing," or RTM, said Katie Moussouris, a senior security strategist lead with the company.

IE10, the immediate predecessor to IE11, shipped last October for Windows 8. It reached RTM along with that operating system in late August 2012, having been in beta, or as Microsoft called it, "preview," for almost a year.

"The researchers were looking for vulnerabilities [in IE10], but they were holding on to them," said Moussouris, not reporting them either to Microsoft directly, or more importantly, to the third-party bug bounty brokers like HP TippingPoint's Zero Day Initiative and VeriSign's iDefense, that pay, sometimes handsomely, for vulnerabilities. "We didn't want to wait for all the vulnerabilities until after RTM, because it was much better that we get them as early as possible."

Brokers such as TippingPoint and iDefense have policies that preclude bounties for bugs in betas, in part because there's no way they can know whether the flaws will be fixed or left untouched by the time a product is completed and shipped to customers.

The rewards for IE11 bugs, which range from $500 to over $11,000, are meant to shake those bugs from the researcher trees before IE11 is released to the public.

"We're projecting that the rewards will be enough to motivate them, so we have a chance of addressing as many [bugs] as possible by RTM, before customers will have deployed the software," said Moussouris in an interview.

Wysopal thought the move made a lot of sense. "It will save them money during the beta," he said. "I've heard that it costs them $100,000 to test and ship a patch."

Both Storms and Wysopal believed that the IE11 program was just a first step by Microsoft into a more comprehensive bounty model, and that the company would add other software to the deal down the road.

"I think they're going to continue this for other software, and they really should. I imagine a lot of people will ask them to do that," said Storms.

"I'm not sure why they wouldn't open it up [to other betas]," echoed Wysopal. "I actually think they will, that this is a way to start out small."

Microsoft's Moussouris declined to answer when asked if the IE11 bounty would be expanded to other programs during their testing, or why it won't continue the program longer than 30 days, and in essence compete with the bug brokers for researchers' discoveries. Instead, she acknowledged only that Microsoft would learn from the IE11 program, go through the data -- the number of vulnerabilities reported, for instance -- and perhaps apply the lessons in the future.

But Moussouris made it sound as if Microsoft had absolutely no interest in launching a full-scale bug bounty, even though, by her own admission, Microsoft was now relying far more on reports from brokers than it did two years ago. "We will not disrupt the [brokers'] business model," she said.

After all, why would Microsoft want to change the landscape? Why would it want to lay out money when it doesn't have to, when bug brokers like TippingPoint and iDefense hand over bugs for free?

That's a point critics have made for years: that the company, with billions in revenue, gets researchers to uncover and submit vulnerabilities, either directly or through the brokers, without spending a dime. Comparisons to Google, which awarded nearly $380,000 in bounties for its Chrome browser alone last year -- and has paid over $213,000 so far this year -- come easily.

Yet yesterday's move, small as it was, still collected praise from the experts.

"This is a big deal for Microsoft because they've been pretty obstinate about not paying for bugs," observed Storms. "They're doing it in a way that's comfortable for them, and when you think about it, it's a great compromise compared to what we've seen from them in the past."

Microsoft has published guidelines for the IE11 Preview Bug Bounty program on its website. As in 2011's BlueHat Prize contest, researchers will retain any intellectual rights related to their discoveries, but must license those rights to Microsoft on a royalty-free basis.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed.
